Introduction


The Computer Forensics Tool Testing (CFTT) program is a joint project of the National 
Institute of Justice (NIJ), the research and development organization of the U.S. 
Department of Justice, and the National Institute of Standards and Technology’s (NIST’s) 
Office of Law Enforcement Standards and Information Technology Laboratory. CFTT is 
supported by other organizations, including the Federal Bureau of Investigation, the U.S. 
Department of Defense Cyber Crime Center, Internal Revenue Service Criminal 
Investigation’s Electronic Crimes Program, and the U.S. Department of Homeland 
Security’s Bureau of Immigration and Customs Enforcement, U.S. Customs and Border 
Protection, and U.S. Secret Service. The objective of the CFTT program is to provide 
measurable assurance to practitioners, researchers, and other applicable users that the 
tools used in computer forensics investigations provide accurate results. Accomplishing 
this requires the development of specifications and test methods for computer forensics 
tools and subsequent testing of specific tools against those specifications. 

Test results provide the information necessary for developers to improve tools, users to 
make informed choices, and the legal community and others to understand the tools’ 
capabilities. This approach to testing computer forensic tools is based on well-recognized 
methodologies for conformance and quality testing. The specifications and test methods 
are posted on the CFTT Web site (http://www.cftt.nist.gov/) for review and comment by 
the computer forensics community. 

This document reports the results from testing the T4 Forensic SCSI Bridge (USB 
Interface) write blocker, against the Hardware Write Blocker (HWB) Assertions and Test 
Plan Version 1.0 and Hardware Write Blocker Device (HWB) Specification, Version 2.0, 
available at the CFTT Web site (http://www.cftt.nist.gov/hardware_write_block.htm). 
This specification identifies the following top-level tool requirements: 

• A hardware write block (HWB) device shall not transmit a command to a 
protected storage device that modifies the data on the storage device. 

• An HWB device shall return the data requested by a read operation. 

• An HWB device shall return without modification any access-significant 
information requested from the drive. 

• Any error condition reported by the storage device to the HWB device shall be 
reported to the host. 

Test results for other tools and devices can be found on NIJ’s computer forensics tool 
testing Web page, http://www.ojp.usdoj.gov/nij/topics/technology/electronic-crime/cftt.htm. 
Test Results for Hardware Write Block Devices 

Device Tested: T4 Forensic SCSI Bridge 1 
Model: 14 
Serial No: 000ECC010004D0B5 
Firmware: Jun 27 2007 09:40:43 

Host to Blocker Interface: USB 
Blocker to Drive Interface: SCSI 

Supplier: Tableau, LLC 
Address: N8 W22195 Johnson Drive, Suite 100 
         Waukesha, WI 53186 
         http://www.tableau.com/ 


1 Results Summary by Requirements 

• An HWB device shall not transmit a command to a protected storage device 
that modifies the data on the storage device. 

For all test cases run, the device always blocked any commands that would have 
changed user or operating system data stored on a protected drive. 

• An HWB device shall return the data requested by a read operation. 

For all test cases run, the device always allowed commands to read the protected 
drive. 

• An HWB device shall return without modification any access-significant 
information requested from the drive. 

For all test cases run, the device always returned access-significant information 
from the protected drive without modification. 

• Any error condition reported by the storage device to the HWB device shall 
be reported to the host. 

For all test cases run, the device always returned error codes from the protected 
drive without modification. 

2 Test Case Selection 

Since a protocol analyzer was available for the interface between the blocker and the 
protected drive, the following test cases were appropriate: 


1 Tableau produces this write block device for resale under various partner labels. See 
http://www.tableau.com for information on resellers. 
• HWB-01 

• HWB-03 

• HWB-05 

• HWB-06 

• HWB-08 

• HWB-09 


For test case HWB-03, two variations were selected: file (attempt to use operating 
system commands to create and delete files and directories from a protected drive) and 
image (use an imaging tool to attempt to write to a protected drive). 


3 Testing Environment 

The tests were run in the NIST CFTT lab. This section describes the hardware (test 
computers and hard drives) available for testing. 

3.1 Test Computers 

Two test computers were used: SamSpade and Max. 

SamSpade has the following configuration: 

Intel® Desktop Motherboard FICIC-VL67 (865G; S478; 800MHz) 

BIOS Phoenix Award version v6.00PG 
Intel® Pentium™ 4 CPU 

Plextor DVDR PX-716A, ATAPI CD/DVD-ROM Drive 

Western Digital Corporation WD800JB-00JJC0, 80 GB ATA disk drive 

1.44 MB floppy drive 

Three IEEE 1394 ports 

Four USB ports 

Max has the following configuration: 

Intel Desktop Motherboard D865GB/D865PERC (with ATA-6 IDE on board controller) 

BIOS Version BF86510A.86A.0053.P13 

Adaptec SCSI BIOS V3.10.0 

Intel® Pentium™ 4 CPU 3.4Ghz 

2577972KB RAM 

SONY DVD RW DRU-530A, ATAPI CD/DVD-ROM drive 
1.44 MB floppy drive 

Two slots for removable IDE hard disk drives 
Two slots for removable SATA hard disk drives 
Two slots for removable SCSI hard disk drives 
3.2 Protocol Analyzer 

A Data Transit bus protocol analyzer (Bus Doctor Rx) was used to monitor and record 
commands sent from the host to the write blocker. Two identical protocol analyzers were 
available for monitoring commands. 


One of two Dell laptop computers (either Chip or Dale) was connected to each protocol 
analyzer to record commands observed by the protocol analyzer. 

3.3 Hard Disk Drives 

One SCSI interface device was used in testing: 

• Drive label 25 is a SEAGATE ST373405LC with 143374741 sectors (73 GB). 

Drive label: 25 
Partition table Drive /dev/sda 
143374741 total number of sectors 
Non-IDE disk 
Model (ST373405LC ) serial # (3EK020ZB00002149H4DV) 

 N    Start LBA  Length     Start C/H/S  End C/H/S    boot  Partition type 
 1 P  000000063  037752687  0000/001/01  1023/254/63  Boot  0C Fat32X 
 2 X  037752750  067890690  1023/000/01  1023/254/63        0F extended 
 3 S  000000063  063681597  1023/001/01  1023/254/63        07 NTFS 
 4 X  063681660  004192965  1023/000/01  1023/254/63        05 extended 
 5 S  000000063  004192902  1023/001/01  1023/254/63        06 Fat16 
 6 X  067874625  000016065  1023/000/01  1023/254/63        05 extended 
 7 S  000000063  000016002  1023/001/01  1023/254/63        04 Fat16 
 8 S  000000000  000000000  0000/000/00  0000/000/00        00 empty entry 
 9 P  000000000  000000000  0000/000/00  0000/000/00        00 empty entry 
10 P  000000000  000000000  0000/000/00  0000/000/00        00 empty entry 


3.4 Support Software 

The software in the following table was used to send commands to the protected drive. 
One widely used imaging tool, IXimager, was used to generate disk activity (reads and 
writes) consistent with a realistic scenario of an accidental modification of an unprotected 
hard drive during a forensic examination. This does not imply an endorsement of the 
imaging tool. 


Program: Description 

sendSCSI: A tool to send SCSI commands wrapped in the USB or IEEE 1394 
(FireWire) protocols to a drive. 

FS-TST: Software from the FS-TST tools was used to generate errors from the hard 
drive by trying to read beyond the end of the drive. The FS-TST software 
was also used to set up the hard drives and print partition tables and drive 
size. 

IXimager: An imaging tool (ILook IXimager version 2.0, February 2006) for test case 
04-img. 
4 Test Results 

The main item of interest for interpreting the test results is determining the conformance 
of the device with the test assertions. Conformance with each assertion tested by a given 
test case is evaluated by examining the Blocker Input and Blocker Output boxes of the 
test report summary. 


4.1 Test Results Report Key 

A summary of the actual test results is presented in this report. The following table 
presents a description of each section of the test report summary. 


Heading 
    Description 

First Line 
    Test case ID; name, model, and interface of device tested. 

Case Summary 
    Test case summary from Hardware Write Blocker (HWB) 
    Assertions and Test Plan Version 1.0. 

Assertions Tested 
    The test assertions applicable to the test case, selected from 
    Hardware Write Blocker (HWB) Assertions and Test Plan 
    Version 1.0. 

Tester Name 
    Name or initials of person executing test procedure. 

Test Date 
    Time and date that test was started and completed. 

Test Configuration 
    Identification of the following: 
    1. Host computer for executing the test case. 
    2. Laptop attached to each protocol analyzer. 
    3. Protocol analyzers monitoring each interface. 
    4. Interface between host and blocker. 
    5. Interface between blocker and protected drive. 
    6. Execution environment for tool sending commands 
       from the host. 

Hard Drives Used 
    Description of the protected hard drive. 

Blocker Input 
    A list of commands sent from the host to the blocker. 

    For test case HWB-01, a list of each command code 
    observed on the bus between the host computer and the 
    blocker and a count of the number of times the command 
    was observed is provided. 

    For test cases HWB-03 and HWB-06, a list of each 
    command sent and the number of times the command was 
    sent. 

    For test case HWB-05, a string of known data from a given 
    location is provided for reference. 

Blocker Output 
    A list of commands observed by the protocol analyzer on the 
    bus from the blocker to the protected drive. 

    For test case HWB-01, a list of each command code 
    observed on the bus between the blocker and the protected 
    drive and a count of the number of times the command was 
    observed is provided. Also provided are a count of the number 
    of unique commands sent (from the Blocker Input box) and a 
    count of the number of unique commands observed on the bus 
    between the blocker and the protected drive. 

    For test cases HWB-03 and HWB-06, a list of each 
    command sent and the number of times the command was 
    sent. 

    For test case HWB-05, a string read from a given location is 
    provided for comparison to known data. 

    For test case HWB-08, the number of sectors determined for 
    the protected drive and the partition table are provided. 

    For test case HWB-09, any error return obtained by trying to 
    access a nonexistent sector of the drive is provided. 

Results 
    Expected and actual results for each assertion tested. 

Analysis 
    Whether or not the expected results were achieved. 
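
The Blocker Input / Blocker Output comparison described in the key above can be expressed as a small check over two opcode captures. This is an added example, not code from the CFTT report or its tooling: the opcode-to-category assignment is an assumption covering only a few standard SCSI opcodes, and the captures are constructed sample data.

```python
from collections import Counter

# Assumed category assignment for a handful of standard SCSI opcodes; the
# authoritative lists are in the HWB specification, not reproduced here.
CATEGORIES = {
    "modifying": {0x04: "FORMAT UNIT", 0x0A: "WRITE(6)", 0x2A: "WRITE(10)",
                  0x2E: "WRITE AND VERIFY(10)", 0x8A: "WRITE(16)", 0xAA: "WRITE(12)"},
    "read": {0x08: "READ(6)", 0x28: "READ(10)", 0x88: "READ(16)", 0xA8: "READ(12)"},
    "information": {0x00: "TEST UNIT READY", 0x03: "REQUEST SENSE",
                    0x12: "INQUIRY", 0x25: "READ CAPACITY(10)"},
}

def category(opcode):
    """Return the category of an opcode, or 'unassigned' (vendor-defined action)."""
    for name, table in CATEGORIES.items():
        if opcode in table:
            return name
    return "unassigned"

def compare_captures(blocker_input, blocker_output):
    """Summarize host-side vs drive-side opcode captures for one test run."""
    sent, seen = Counter(blocker_input), Counter(blocker_output)
    return {
        "unique_sent": len(sent),
        "unique_observed": len(seen),
        # Sent by the host but never observed on the drive-side bus.
        "blocked": sorted(op for op in sent if op not in seen),
        # Any modifying opcode on the drive-side bus violates HWB-AM-01.
        "modifying_leaked": sorted(op for op in seen if category(op) == "modifying"),
        # Unassigned opcodes that passed: reported, not failed (HWB-AM-05).
        "unassigned_forwarded": sorted(op for op in seen if category(op) == "unassigned"),
        "counts": {op: (sent[op], seen[op]) for op in sorted(set(sent) | set(seen))},
    }

# Constructed captures (not data from this report).
HOST_SIDE = [0x00, 0x12, 0x25, 0x28, 0x28, 0x2A, 0x0A, 0x04, 0xC1]
DRIVE_SIDE_GOOD = [0x00, 0x12, 0x12, 0x25, 0x28, 0x28]
DRIVE_SIDE_FAULTY = DRIVE_SIDE_GOOD + [0x2A]

if __name__ == "__main__":
    for label, drive_side in (("good", DRIVE_SIDE_GOOD), ("faulty", DRIVE_SIDE_FAULTY)):
        r = compare_captures(HOST_SIDE, drive_side)
        verdict = "PASS" if not r["modifying_leaked"] else "FAIL"
        print(label, verdict, [hex(op) for op in r["modifying_leaked"]])
```

The per-opcode counts can differ between the two sides without indicating a fault, since a bridge may issue its own information commands to the drive; only a modifying opcode on the drive side fails the check.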


4.2 Test Details 


4.2.1 HWB-01 


Test Case HWB-01 Variation hwb-01 T4 Forensic SCSI Bridge USB 

Case Summary: 
    HWB-01 Identify commands blocked by the HWB. 

Assertions Tested: 
    HWB-AM-01 The HWB shall not transmit any modifying category operation to 
    the protected storage device. 
    HWB-AM-05 The action that a HWB device takes for any commands not 
    assigned to the modifying, read or information categories is defined by 
    the vendor. 

Tester Name: 
    brl 

Test Date: 
    run start Tue Oct 28 15:42:07 2008 
    run finish Tue Oct 28 16:21:02 2008 

Test Configuration: 
    HOST: Max 
    HostToBlocker Monitor: Chip 
    HostToBlocker PA: AA00155 
    HostToBlocker Interface: USB 
    BlockerToDrive Monitor: Dale 
    BlockerToDrive PA: AA00111 
    BlockerToDrive Interface: SCSI 
    Run Environment: Linux 
4.2.3 HWB-03 

Test Case HWB-03 Variation hwb-03-img T4 Forensic SCSI Bridge USB 

Case Summary: HWB-03 Identify commands blocked by the HWB while attempting to modify a 
protected drive with forensic tools. 

Assertions HWB-AM-01 The HWB shall not transmit any modifying category operation to 



4 commands sent 

Commands Allowed by Blocker 



July 2009 


Page 11 of 16 


Results for Tableau T4 USB 










4.2.4 HWB-05 


Test Case HWB-05 Variation hwb-05 T4 Forensic SCSI Bridge USB 



Read sector Sip£7 for the string:. 00002/010/08 000000032' 
About the National Institute of Justice 

NIJ is the research, development, and evaluation agency of the U.S. Department of Justice. 

NIJ's mission is to advance scientific research, development, and evaluation to enhance the 
administration of justice and public safety. NIJ's principal authorities are derived from the 
Omnibus Crime Control and Safe Streets Act of 1968, as amended (see 42 U.S.C. §§ 3721-3723). 

The NIJ Director is appointed by the President and confirmed by the Senate. The Director 
establishes the Institute's objectives, guided by the priorities of the Office of Justice Programs, the 
U.S. Department of Justice, and the needs of the field. The Institute actively solicits the views of 
criminal justice and other professionals and researchers to inform its search for the knowledge 
and tools to guide policy and practice. 

Strategic Goals 

NIJ has seven strategic goals grouped into three categories: 

Creating relevant knowledge and tools 

1. Partner with State and local practitioners and policymakers to identify social science research 
and technology needs. 

2. Create scientific, relevant, and reliable knowledge—with a particular emphasis on terrorism, 
violent crime, drugs and crime, cost-effectiveness, and community-based efforts—to enhance 
the administration of justice and public safety. 

3. Develop affordable and effective tools and technologies to enhance the administration of 
justice and public safety. 

Dissemination 

4. Disseminate relevant knowledge and information to practitioners and policymakers in an 
understandable, timely, and concise manner. 

5. Act as an honest broker to identify the information, tools, and technologies that respond to 
the needs of stakeholders. 

Agency management 

6. Practice fairness and openness in the research and development process. 

7. Ensure professionalism, excellence, accountability, cost-effectiveness, and integrity in the 
management and conduct of NIJ activities and programs. 

Program Areas 

In addressing these strategic challenges, the Institute is involved in the following program 
areas: crime control and prevention, including policing; drugs and crime; justice systems and 
offender behavior, including corrections; violence and victimization; communications and 
information technologies; critical incident response; investigative and forensic sciences, including 
DNA; less-than-lethal technologies; officer protection; education and training technologies; 
testing and standards; technology assistance to law enforcement and corrections agencies; field 
testing of promising programs; and international crime control. 

In addition to sponsoring research and development and technology assistance, NIJ evaluates 
programs, policies, and technologies. NIJ communicates its research and evaluation findings 
through conferences and print and electronic media. 


To find out more about the National 
Institute of Justice, please visit: 

http://www.ojp.usdoj.gov/nij 

or contact: 

National Criminal Justice 
Reference Service 
P.O.Box 6000 
Rockville, MD 20849-6000 
800-851-3420 
http://www.ncjrs.gov 



